Tuesday, August 4, 2009

Undetectable Rogue Access Points


The wireless security risk that receives the most attention is that of a rogue access point. Rogue 802.11 devices are most often connected to an 802.3 Ethernet data port by an employee who dose not realize the consequences of his actions. The issue is that the rogue device is now a portal to your 802.3 wired infrastructure. Anyone who can connect to the wireless rogue device now can potentially attack network resources via the wireless portal. WIDS solutions were first developed to detect rogue access point and rogue devices. Not only have WIDS solutions proved to be effective at detecting rouge WI-Fi devices but the same solutions have been extended to automatically disable the rouge devices using a number of published and unpublished termination methods.

The problem is that certain types of rogue access points currently go undetected because of the layer 1 analysis limitations of the WIDS/WIPS solutions. The 802.11 radio cards that reside inside a WIDS/WIPS solutions are designed to understand other Wi-Fi signals. Therefore any rogue device that uses the standard Wi-Fi protocols will be detected fairly instantly. (Although devises that use Wi-Fi in non-standard ways such as operating on a non-standard center frequency may not be easily detected). And devices that use other protocols will also not be detected. Examples of these non-Wi-Fi rogue devices include devices that use frequency hopping spread spectrum (FHSS) radio protocols. Legacy 802.11 access points that were manufactured from 1997-1999 often used a frequency hopping protocol called 802.11 FH. Additionally, a consortium of mobile wireless vendors called the HomeRF

Working Group used to exist. These vendors manufactured non-802.11 access points that also used FHSS transmissions in the 2.4 GHz frequency range. Although 802.11 FH and HomeRF devices are no longer sold, they are widely available at very little cost on eBay and other auction retailers. Bluetooth radios also use FHSS transmissions in the 2.4 GHz frequency range. Because Bluetooth radios are in many devices that also have Ethernet connectivity (Such as laptops), Bluetooth radios should also be considered a potential rogue threat.

Bluetooth radios can all be used by an attacker as rogue devices and will go undetected by current WIDS/WIPS solutions. In fact, because of this weakness, they make very attractive approaches for someone trying to maliciously install an open port onto your network. The proper tool needed to detect and locate these rogue devices is a spectrum analyzer. Spectrum analyzers can detect all types of non-WiFi radio devices, including frequency hopping radios. In fact, some analyzers can look at the RF signature of the device, and determine exactly what type of non-WiFi radio has been found. Another potential rogue device that can go undetected is an access point that transmits in a frequency range not supported by 802.11 radios. 802.11 radios either transmit in the unlicensed 2.4 GHz ISM frequency band or in the unlicensed 5 GHz UNII frequency bands. Non-802.11 wireless networking equipment exists that operates in the 902-928 MHz unlicensed ISM frequency band. Only a spectrum analyzer that sweeps the 900 MHz frequency range could detect this type of device because 802.11 radios do not listen in 900 MHz frequency range.

A Layer 2 WIDS/WIPS solution is still a recommended solution for detection and prevention of many 802.11 rogue devices. But adding a full-time spectrum analysis solution provides for greater detection of a wider range of rogue devices.

No comments:

Post a Comment